I'm trying to set up nginx as a front-end and apache as a back-end on my server. All goes as usual, I've installed libapache2-mod-rpaf. But apache doesn't see the real client IP, and some .htaccess restrictions based on IP don't work at all, because apache sees only the local IP.
Here is the nginx vhost configuration:
    server {
        listen 80;
        server_name domain;

        location ~* ^/(admin/|dump/|) {
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_pass http://127.0.0.1:8080;
            proxy_redirect http://domain:8080/ /;
        }

        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_pass http://127.0.0.1:8080;
            proxy_redirect http://domain:8080/ /;
        }

        location ~* ^.+\.(jpg|swf|flv|ico|txt|jpeg|gif|png|svg|js|css|mp3|ogg|mpe?g|avi|zip|gz|bz2?|rar)$ {
            access_log /var/www/logs/domain.nginx.access.log;
            error_page 404 = @fallback;
            if ( $host ~* ^((.*).domain)$ ) {
                set $proot /var/www/$1;
                break;
            }
            if ( $host = "domain" ) {
                break;
            }
            root /var/www/domain;
        }

        location @fallback {
            proxy_pass http://127.0.0.1:8080;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }
And here is apache vhost configuration:
    <VirtualHost *:8080>
        ServerName domain
        DocumentRoot /var/www/domain
        DirectoryIndex index.php
        CustomLog /var/www/logs/domain.access.log combined
        ErrorLog /var/www/logs/domain.error.log
        ServerAdmin info@domain
        AddDefaultCharset utf8
        php_admin_value open_basedir "/var/www/mod-tmp:.:/var/www/domain"
        php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f webmaster@domain"
        php_admin_value upload_tmp_dir "/var/www/mod-tmp"
        php_admin_value session.save_path "/var/www/mod-tmp"
        AddType application/x-hwikipd-php .php .php3 .php4 .php5 .phtml
        AddType application/x-hwikipd-php-source .phps
        <Directory /var/www/domain>
            Options All
            AllowOverride All
        </Directory>
    </VirtualHost>
As I can see in nginx log:
xxx.yyy.98.14 - - [28/Jan/2012:02:08:29 +0400] "GET / HTTP/1.0" 403 179 "-" "w3m/0.5.3"
It sees my real ip.
But in apache log it sees only local ip:
127.0.0.1 - - [28/Jan/2012:02:08:29 +0400] "GET / HTTP/1.0" 403 390 "-" "w3m/0.5.3"
rpaf is enabled.
    $ cat /etc/apache2/mods-enabled/rpaf.conf
    <IfModule mod_rpaf.c>
        RPAFenable On
        RPAFsethostname On
        RPAFproxy_ips 127.0.0.1 ::1
    </IfModule>
    $ cat /etc/apache2/mods-enabled/rpaf.load
    LoadModule rpaf_module /usr/lib/apache2/modules/mod_rpaf.so
    $ ls -l /usr/lib/apache2/modules/mod_rpaf.so
    -rw-r--r-- 1 root root 8488 Oct 17 20:47 /usr/lib/apache2/modules/mod_rpaf.so
So, what is wrong?
P.S. I have restarted nginx and apache several times after saving these configs, but there are no changes.
Change the <IfModule ""> reference from mod_rpaf.c to rpaf_module. This fixed the issue for me on Debian Squeeze and Ubuntu 12.04.
That's the correct behavior. Because only your applications (run on Apache) see the real IP. For example, install a sample application such as WordPress and install real-time analytics such as Piwik. Insert the Piwik code in WordPress footer and visit your WordPress site (after logging out). Now the Piwik would show the real IP instead of what is set at RPAFproxy_ips.
BTW, the /etc/apache2/mods-enabled/rpaf.conf file is missing one important directive. It should have RPAFheader. For example, my configuration file looks like this...
You may also use X-Real-IP in place of X-Forwarded-For. In either case, please make sure nginx is configured to send real IP in its header. For example, if you use X-Forwarded-For, then your nginx configuration should contain the following...
mod_rpaf appears to have been deprecated in Debian Jessie, and further development halted. Switch to mod_remoteip, which is a default module in Debian Jessie.
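
The answers above all rest on the backend trusting X-Forwarded-For only when the request comes from a listed proxy (the role of RPAFproxy_ips). The following is an added Python sketch, not code from this thread and not the implementation of mod_rpaf or mod_remoteip, of that resolution applied to the header nginx builds with $proxy_add_x_forwarded_for. The function names and sample addresses are constructed for illustration.

```python
import ipaddress

# Proxies allowed to vouch for a client address (same role as RPAFproxy_ips
# in the rpaf.conf shown in the question).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "::1/128")]


def is_trusted(addr):
    """True if addr belongs to one of the trusted proxy networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def resolve_client_ip(peer_addr, x_forwarded_for):
    """Return the address to use for logging and IP-based access rules.

    peer_addr is the TCP peer (what Apache logs as 127.0.0.1 behind nginx).
    x_forwarded_for is the raw header value, or None if absent.
    """
    # A header sent by a peer that is not a trusted proxy is ignored entirely.
    if not is_trusted(peer_addr) or not x_forwarded_for:
        return peer_addr
    client = peer_addr
    # Walk right to left: the right-most entry was appended by our own proxy
    # ($remote_addr); anything further left arrived in the client's request.
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop and keep the last good address
        client = hop
        if not is_trusted(hop):
            break  # first untrusted hop is treated as the client
    return client


if __name__ == "__main__":
    # Constructed sample: nginx on localhost forwarding one client.
    print(resolve_client_ip("127.0.0.1", "203.0.113.7"))
    # Constructed sample: the request already carried a header value, so
    # nginx appended the real address after it; only the right-most counts.
    print(resolve_client_ip("127.0.0.1", "10.9.9.9, 203.0.113.7"))
```

Taking the left-most entry instead would let the value in the incoming request decide the outcome of IP-based .htaccess rules, which is why the trusted proxy list should contain only the front-end's own addresses.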